grpc/rocsp: Allow use of TLSv1.2 and TLSv1.3 (#6600)

beautifulentropy · web-flow · commit 0d6f8569c542 · 2023-01-24T12:53:13.000-08:00
When we clamped our MaxVersion to TLS1.2, there wasn't any support for TLS1.3 yet. Allowing higher versions to be negotiated is good. Fixes #6580
diff --git a/cmd/config.go b/cmd/config.go
@@ -178,10 +178,10 @@ func (t *TLSConfig) Load() (*tls.Config, error) {
 		ClientCAs:    rootCAs,
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		Certificates: []tls.Certificate{cert},
-		// Set the only acceptable TLS version to 1.2 and the only acceptable cipher suite
-		// to ECDHE-RSA-CHACHA20-POLY1305.
-		MinVersion:   tls.VersionTLS12,
-		MaxVersion:   tls.VersionTLS12,
+		// Set the only acceptable TLS to v1.2 and v1.3.
+		MinVersion: tls.VersionTLS12,
+		MaxVersion: tls.VersionTLS13,
+		// CipherSuites will be ignored for TLS v1.3.
 		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
 	}, nil
 }
diff --git a/test/redis-cluster.config b/test/redis-cluster.config
@@ -28,6 +28,7 @@ user replication-user  on +@all ~* >435e9c4225f08813ef3af7c725f0d30d263b9cd3
 user unittest-rw       on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
 masteruser replication-user
 masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
+tls-protocols "TLSv1.3"
 tls-cert-file /test/redis-tls/redis/cert.pem
 tls-key-file /test/redis-tls/redis/key.pem
 tls-ca-cert-file /test/redis-tls/minica.pem
diff --git a/test/redis.config b/test/redis.config
@@ -28,6 +28,7 @@ user replication-user  on +@all ~* >435e9c4225f08813ef3af7c725f0d30d263b9cd3
 user unittest-rw       on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
 masteruser replication-user
 masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
+tls-protocols "TLSv1.3"
 tls-cert-file /test/redis-tls/redis/cert.pem
 tls-key-file /test/redis-tls/redis/key.pem
 tls-ca-cert-file /test/redis-tls/minica.pem
